> Digest auth protects your password very well (it's not sent over the network at all). It does not
> protect the contents or URL or any other part of the request like SSL does. It is very hard to
> calculate a password based on its MD5 hash alone.
Yes, it protects the password perfectly. But that just stops a person
from using your username and password to log in with. It's remarkably
easy to just send the username and digest and gain access to all the
same things. Most people who would have the skills to glean your
username/password from the communications would know how to do this.
So it only offers the illusion of security.
-Dan
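
An added illustration, not part of the original messages: the RFC 2617 `qop=auth` response computation, with a server-side check that is shown the same Authorization values twice, once without nonce tracking and once with it. The class, function names, credentials and nonce values are all constructed for this example.

```python
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(ha1, method, uri, nonce, nc, cnonce):
    # RFC 2617, qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

class DigestVerifier:
    """Hypothetical server-side check; track_nonces toggles replay tracking."""
    def __init__(self, ha1_by_user, track_nonces):
        self.ha1_by_user = ha1_by_user
        self.track_nonces = track_nonces
        self.last_nc = {}  # issued nonce -> highest nonce-count accepted

    def issue_nonce(self, nonce):
        self.last_nc[nonce] = 0

    def verify(self, method, uri, hdr):
        ha1 = self.ha1_by_user.get(hdr["username"])
        if ha1 is None:
            return "unknown-user"
        expected = digest_response(ha1, method, uri, hdr["nonce"], hdr["nc"], hdr["cnonce"])
        if not hmac.compare_digest(expected, hdr["response"]):
            return "bad-response"  # wrong password, or header moved to another method/URI
        if self.track_nonces:
            if hdr["nonce"] not in self.last_nc:
                return "stale-nonce"
            count = int(hdr["nc"], 16)
            if count <= self.last_nc[hdr["nonce"]]:
                return "replay"
            self.last_nc[hdr["nonce"]] = count
        return "ok"

def demo():
    # Constructed sample values, not taken from the thread.
    ha1 = md5_hex("alice:example-realm:constructed-password")
    hdr = {"username": "alice", "nonce": "n-0001", "nc": "00000001", "cnonce": "c-abcd"}
    hdr["response"] = digest_response(ha1, "GET", "/inbox", hdr["nonce"], hdr["nc"], hdr["cnonce"])
    lax = DigestVerifier({"alice": ha1}, track_nonces=False)
    strict = DigestVerifier({"alice": ha1}, track_nonces=True)
    strict.issue_nonce(hdr["nonce"])
    return {
        "lax": [lax.verify("GET", "/inbox", hdr) for _ in range(2)],
        "strict": [strict.verify("GET", "/inbox", hdr) for _ in range(2)],
        "other_uri": strict.verify("GET", "/admin", hdr),
    }
```

`demo()` returns the verdicts for each verifier, so the effect of tracking the nonce count and of binding the response to the method and URI can be compared directly.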